Stuff:
OS: Linux, php: v4.4.0, MySQL v14.7, scripts are ran as CGI executables

Current installed Mods:
Xoops 2.0.14, protector 2.5, XOOPS poll blind, AMS 2.14
Note: I do need to install a couple more mods; a good calendar, and photo album.

Security is absolutely critical for this site and I am willing to pay for a knowlageble person (that has beeen running a XOOPS site for a while without being hacked) to help me work through some known problems and offer advice to make the site as secure as possible.

Known Problem 1: When I run the Protector Mod the security advisory warns...

'register_globals' : on Not secure
'allow_url_fopen' : on Not secure
'session.use_trans_sid' : on Not secure

I have been working on this for a week. This is what I know/tried so far:

I got an internal server error when I tried to create the .htaccess. When I contacted the host there reply was:
Quote:
The host recomended I create a php.ini file. I made 3 attempts at the php.ini from days of googling and placed it in the root of the site. All of them still get the security warnings. Here's that code:


Problems 2 & 3 I haven't even addessed yet:
2)'XOOPS_DB_PREFIX' : XOOPS Not secure

3)I'm really not sure if this is a problem or not but of the links in protector simply pull up my home page.
Contaminations:
http://mysite.com/index.php?xoopsConfig%5Bnocommon%5D=1
Isolated Comments:
http://mysite.com/index.php?cid=%2Cpassword+%2F%2A

I am also interested in any and all other security precautions help or advice.

If interested please PM me and we can discuss arrangements.

Regards,
Steve

Quote:

Oh man I just hate that.

Quote:

Change hosting company with one more professional.

php.ini files need to be placed in every folder that you want those directives enforced.. not just the root folder.. as php.ini files only affect the folder they are placed in and not any sub folders.

only htaccess files affect all folders under them..

don't use the php_flag tho in php.ini files

you only use php_flag in htaccess.. any php commands in htaccess when php is in CGI mode will produce a 500 internal server error.

Quote:

This wont help much as more and more hosts are moving towards phpsuexec, which is what you are on if .htaccess files generate a internal error 500 when attempting any php directives.

You should ask your host to edit the default php.ini file to change these if they dont let you change it yourself.

Your host should have a default php.ini file that covers your whole website. If they dont then change hosts.

within a php.ini file it should be

register_globals = Off
allow_url_fopen = Off
session.use_trans_sid = Off

Quote:

This can be done by:

1. going to Protectors Admin
2. Prefix Manager
3. Where it has a "Copy" button there should be a box, enter in a new Prefix.
4. Click on Copy
DO NOT DELETE YOUR OLD ONE JUST IN CASE YOUR SITE DOESNT WORK AFTER THE NEXT STEPS
5. load your FTP client.
6. Edit mainfile.php (you may have to change CHMOD temporarly)
7. Change the XOOPS db prefix from 'xoops' to your new one.
8. Save then Change your mainfile.php chmod back.

And your done

Quote:

Problem is that the php.ini is for server wide settings (main one), if they make custom changes it may break another person's application.

I have found it is best to use VPS (Virtual Private Servers).

The prices have become quite close to that of shared hosting and you have full control over your server space.

Shared hosting has to be a little loose on the security side of things to provide service to the highest number of web applications.

Quote:

I was actually talking about the default php.ini file that is (usually) supplied for your webspace. My hosts supply one and its edited within the control panel and using what i have said above works in it and works for all of my web space.

I agree with you to a point. The problem (for me) with shared hosting is that all you need is one weak application running in someone elses webspace (as you say, actually shared space to the server) and the whole server can be compromised.

A VPS on the other hand is isolated, on it's own partition with it's own OS and settings. A weak application on another VPS on the same host server will have a much less chance of affecting your site.